• Lots of people get cryptography wrong:
  ◦ Google Keyczar (timing side channel). ← Stupidity
  ◦ SSL (session renegotiation). ← Stupidity
  ◦ Amazon AWS signature method 1 (non-collision-free signing). ← Using a tool wrong
  ◦ Flickr API signatures (hash length-extension). ← Using the wrong tool
  ◦ Intel HyperThreading (architectural side channel). ← Unusual environment
  ◦ WEP, WPA, GSM... (various flaws). ← Unusual environment

• Cryptography is usually broken for one of three reasons:
  ◦ Stupidity.
  ◦ Using the wrong tools or using them in the wrong way.
  ◦ Unusual environments.


Colin Percival (Tarsnap, cperciva@tarsnap.com): Everything you need to know about cryptography in 1 hour



Why cryptography in 1 hour?

• Conventional wisdom: Don't write cryptographic code!
  ◦ Use SSL for transport.
  ◦ Use GPG for protecting data at rest.
  ◦ "If you're typing the letters A-E-S into your code, you're doing it wrong." — Thomas Ptacek

• Reality: You're going to write cryptographic code no matter what I say, so you might as well know what you're doing.

• Reality: Most applications only need a small set of well-understood standard idioms which are easy to get right.

• 55 minutes from now, you should:
  ◦ Know what to do in 99% of the situations you'll encounter.
  ◦ Know where some of the common mistakes are.
  ◦ Know when you're doing something non-standard and you really need to consult a cryptographer.


Why cryptography?

• Cryptography protects against some attacks, but not all.
  ◦ "Three Bs": Bribery, Burglary, Blackmail.
  ◦ Fourth B: (Guantanamo) Bay.

• Attacking people is often more expensive than attacking data.

• Attacking people is almost always more dangerous than attacking data.
  ◦ Data doesn't hold press conferences to complain that it was tortured!
  ◦ (The information, not the android.)
  ◦ The purpose of cryptography is to force the US government to torture you.
  ◦ Hopefully they'll decide that your information isn't that important.

• Cryptography has three major purposes: Encryption, Authentication, and Identification.
  ◦ Encryption prevents evil people from reading your data.
  ◦ Authentication (aka. signing) prevents evil people from modifying your data without being discovered.
  ◦ Identification prevents evil people from pretending to be you.

• Sometimes Authentication and Identification are performed in a single step: "this message hasn't been modified since I wrote it" and "I'm Colin" are replaced by a single "this message hasn't been modified since Colin wrote it".

• In most cases you will want to put together two or more cryptographic components.

Cryptographic language

• The plaintext is the data we care about.

• The ciphertext is the data that evil people get to see.

• A key is used to convert between these. Sometimes we need several keys.

• Symmetric cryptography is when converting plaintext to ciphertext uses the same key as converting ciphertext to plaintext.
  ◦ Asymmetric cryptography is when the two directions use different keys.

• Ideal cryptographic components don't really exist, but if a cryptographic component is recognizably non-ideal, it is generally considered to be broken.

Hashing

• An ideal hash function H(x) is a function mapping arbitrary-length inputs to n-bit outputs which is:
  ◦ Collision-resistant, and
  ◦ One-way.

  ◦ Collision-resistant means that it takes ≈ 2^(n/2) time to find two inputs which have the same hash.
  ◦ One-way means that given a hash, it takes ≈ 2^n time to find an input which has that hash.

• Nothing else is guaranteed!
  ◦ In particular, knowing H(x) might allow an attacker to compute H(y) for some values of y.
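The two bounds above are easy to see on a toy instance. The following Python script is an added illustration, not code from the slides: it truncates SHA-256 to n = 16 bits (N_BITS, the "msg-i"/"pre-i" input formats and the 0x1234 target are all constructed for the example) and counts how many hashes a birthday search for a collision needs versus a brute-force search for a preimage. With n = 16 the first is on the order of 2^8 and the second on the order of 2^16; with real SHA-256 (n = 256) neither is feasible.

```python
import hashlib
from typing import Dict, Tuple

# Truncation width, constructed for this example: with n = 16 the 2^(n/2)
# collision bound and the 2^n preimage bound are small enough to observe in
# a fraction of a second. Real SHA-256 has n = 256.
N_BITS = 16


def truncated_hash(data: bytes, n_bits: int = N_BITS) -> int:
    """SHA-256 truncated to its first n_bits bits, returned as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def find_collision(n_bits: int = N_BITS, limit: int = 1 << 20) -> Tuple[bytes, bytes, int]:
    """Birthday search: hash distinct inputs until two share an output.

    Returns (input_a, input_b, attempts). The expected number of attempts
    is about sqrt(pi/2 * 2^n), i.e. on the order of 2^(n/2).
    """
    seen: Dict[int, bytes] = {}
    for i in range(limit):
        msg = f"msg-{i}".encode()          # distinct for every i
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise RuntimeError("no collision found within limit")


def find_preimage(target: int, n_bits: int = N_BITS, limit: int = 1 << 22) -> Tuple[bytes, int]:
    """Brute-force preimage search for one fixed n-bit output.

    Returns (input, attempts). The expected number of attempts is about
    2^n, the one-wayness bound: roughly the square of the collision cost.
    """
    for i in range(limit):
        msg = f"pre-{i}".encode()
        if truncated_hash(msg, n_bits) == target:
            return msg, i + 1
    raise RuntimeError("no preimage found within limit")


if __name__ == "__main__":
    a, b, tries = find_collision()
    print(f"collision after {tries} hashes: {a!r} and {b!r} -> {truncated_hash(a):#06x}")
    m, tries = find_preimage(0x1234)
    print(f"preimage after {tries} hashes: {m!r} -> {truncated_hash(m):#06x}")
```

The collision search stores every output it has seen, so its memory grows with the number of attempts; that is the usual time/memory trade-off of a birthday attack and is why n/2 bits of collision resistance, not n, is what a hash of width n actually gives you.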
Hashing

• DO: Use SHA-256.

• DO: Consider switching to SHA-3 within the next 5-10 years (once NIST decides what it is, probably in 2012).

• DO: Use a hash when you can securely distribute H(x) and want to validate that a value x' which you received insecurely is in fact equal to x.

• DON'T: Use MD2, MD4, MD5, SHA-1, RIPEMD.

• DON'T: Put FreeBSD-8.0-RELEASE-amd64-disc1.iso and CHECKSUM.SHA256 onto the same FTP server and think that you've done something useful.

• DON'T: Try to use a hash function as a symmetric signature.



Symmetric authentication

• Symmetric authentication is performed by providing a message authentication code (MAC).

• An ideal message authentication code f_k(x) uses a key to map arbitrary-length inputs to n-bit outputs such that it takes 2^n time for an attacker to generate any pair (y, f_k(y)) even if given arbitrary pairs (x, f_k(x)).
  ◦ Sometimes called a "random function".

• Unlike hashing, knowing f_k(x) does not allow you to compute f_k(y) for some other y.
  ◦ The Flickr API used hashing to authenticate API requests where they should have used a MAC.
Symmetric authentication

• DO: Use HMAC-SHA256.
  ◦ DO: Guarantee that you cannot have two different messages result in the same data being input to HMAC-SHA256.
  ◦ Amazon and Flickr both got this wrong.

• AVOID: CBC-MAC.
  ◦ Theoretically secure, but exposes your block cipher to attacks.

• AVOID: Poly1305.
  ◦ If your name is Daniel Bernstein, go ahead and use this. Otherwise, you're never going to produce a secure and correct implementation.

• DON'T: Leak information via timing side channels when you verify a signature.
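The "two different messages, same HMAC input" point deserves a concrete shape. The Python below is an added example, not code from the slides or from Amazon or Flickr: it signs a dictionary of API parameters with HMAC-SHA256 twice, once over a naive concatenation of keys and values (the general form of a non-collision-free encoding) and once over a length-prefixed canonical encoding that maps each parameter set to a unique byte string. The key, the parameter names and the two colliding requests are constructed for the example.

```python
import hashlib
import hmac
from typing import Callable, Dict

# Constructed key for the example; real MAC keys are random secrets.
KEY = b"example-hmac-key-not-for-production"

Encoder = Callable[[Dict[str, str]], bytes]


def naive_encode(params: Dict[str, str]) -> bytes:
    """Non-injective encoding: sorted keys and values simply concatenated.

    Field boundaries are lost, so two different parameter sets can encode
    to identical bytes and therefore to an identical HMAC tag.
    """
    return "".join(k + v for k, v in sorted(params.items())).encode()


def canonical_encode(params: Dict[str, str]) -> bytes:
    """Injective encoding: every field carries a 4-byte big-endian length.

    The byte string parses back into exactly one parameter set, which is
    the guarantee the slide asks for: no two messages share an HMAC input.
    """
    out = bytearray()
    for k, v in sorted(params.items()):
        for field in (k.encode(), v.encode()):
            out += len(field).to_bytes(4, "big")
            out += field
    return bytes(out)


def sign(params: Dict[str, str], key: bytes = KEY,
         encode: Encoder = canonical_encode) -> bytes:
    """HMAC-SHA256 over the encoded request."""
    return hmac.new(key, encode(params), hashlib.sha256).digest()


def verify(params: Dict[str, str], tag: bytes, key: bytes = KEY,
           encode: Encoder = canonical_encode) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(sign(params, key, encode), tag)


# Two different requests (constructed) that the naive encoding cannot tell
# apart: both concatenate to b"roleadminuserbob".
REQUEST_A = {"role": "admin", "user": "bob"}
REQUEST_B = {"role": "adminuserbob"}

if __name__ == "__main__":
    tag_a = sign(REQUEST_A, encode=naive_encode)
    print("naive encoding: tag for A also verifies B ->",
          verify(REQUEST_B, tag_a, encode=naive_encode))
    tag_a = sign(REQUEST_A)
    print("canonical encoding: tag for A verifies B ->", verify(REQUEST_B, tag_a))
```

Any encoding that a receiver can unambiguously parse back into the original fields will do (length prefixes, a fixed serialization such as canonical JSON, or URL-encoded fields with escaped separators); the property that matters is injectivity, not the particular format.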
Side channel attacks

• A side channel is any way that an attacker can get information other than the ciphertext.

• Cryptosystems are defined by their mathematical design, whereas side channels are inherently artifacts of how cryptosystems are implemented.
  ◦ The most common side channel is timing: how long it takes for you to encrypt/decrypt/sign/verify a message.

• Other side channels include electromagnetic emissions ("TEMPEST"), power consumption, and microarchitectural features (e.g., L1 data cache eviction on Intel CPUs with HyperThreading).
Side channel attacks

• DO: Consult a cryptographer if you're planning on giving evil people physical access to anything which does cryptography (e.g., smartcards).

• DO: Consult a cryptographer if you're planning on allowing evil people to run code on the same physical hardware as you use for cryptography (e.g., virtualized systems).

• DO: Consult a cryptographer if you're planning on releasing a CPU which leaks information in new and exciting ways.
  ◦ Intel probably got this wrong.

• DON'T: Write code which leaks information via how long it takes to run.
Timing attacks

• AVOID: Key-dependent or plaintext-dependent table lookups.

• DON'T: Have key-dependent or plaintext-dependent branches (if, for, while, foo ? bar : baz).

• DON'T EVEN DREAM ABOUT: Writing the following code:

    /* Returns at the first mismatch: the running time tells the attacker
     * how many leading bytes of the forged MAC were correct. */
    for (i = 0; i < MACLEN; i++)
        if (MAC_computed[i] != MAC_received[i])
            return (MAC_IS_BAD);
    return (MAC_IS_GOOD);

• DO: Write the following code:

    /* Touches every byte and only looks at the accumulated difference at
     * the end, so the time taken does not depend on where a mismatch is. */
    for (x = i = 0; i < MACLEN; i++)
        x |= MAC_computed[i] - MAC_received[i];
    return (x ? MAC_IS_BAD : MAC_IS_GOOD);

  ◦ Google Keyczar got this wrong.
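To make the difference between the two loops measurable without relying on noisy wall-clock timing, the following Python is an added example (not code from the slides) that translates both C snippets and additionally reports how many bytes each comparison examined before deciding. The 32-byte tags are constructed for the example; XOR replaces the slide's subtraction only because Python integers are unbounded, and `verify_mac` shows the standard-library call production Python code should use instead of either hand-rolled loop.

```python
import hmac
from typing import Tuple


def compare_early_exit(computed: bytes, received: bytes) -> Tuple[bool, int]:
    """The pattern the slide says never to write, translated from its C.

    Returns (equal, bytes_examined). The loop stops at the first mismatch,
    so the work done, and therefore the running time, reveals how many
    leading bytes of `received` were correct.
    """
    if len(computed) != len(received):
        return False, 0
    examined = 0
    for a, b in zip(computed, received):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def compare_constant_time(computed: bytes, received: bytes) -> Tuple[bool, int]:
    """The slide's recommended idiom: fold every byte difference into one
    accumulator and inspect it only after the whole tag has been visited.

    Returns (equal, bytes_examined); bytes_examined is always the full
    length, whatever the inputs are.
    """
    if len(computed) != len(received):
        return False, 0
    x = 0
    for a, b in zip(computed, received):
        x |= a ^ b          # XOR rather than the C code's subtraction
    return x == 0, len(computed)


def verify_mac(computed: bytes, received: bytes) -> bool:
    """What production Python code should call: the standard library's
    comparison written for exactly this purpose."""
    return hmac.compare_digest(computed, received)


# Constructed tags: the genuine one, and two forgeries wrong at byte 0 and
# at byte 15 respectively.
GENUINE = bytes(range(32))
WRONG_AT_0 = bytes([0xFF]) + GENUINE[1:]
WRONG_AT_15 = GENUINE[:15] + bytes([0xFF]) + GENUINE[16:]

if __name__ == "__main__":
    for name, guess in (("wrong at 0", WRONG_AT_0), ("wrong at 15", WRONG_AT_15)):
        print(name, "early exit examined", compare_early_exit(GENUINE, guess)[1],
              "bytes; constant time examined", compare_constant_time(GENUINE, guess)[1])
```

The early-exit loop examines 1 byte for the first forgery and 16 for the second, which is exactly the signal a remote attacker would recover from response times, one byte position at a time; the constant-time loop examines all 32 in every case. An interpreter gives no hard guarantees about timing, which is why `hmac.compare_digest` is the right call in real Python code.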
Block ciphers

• Symmetric encryption is usually built out of block ciphers.

• An ideal block cipher uses a key to bijectively map n-bit inputs x to n-bit outputs E_k(x) such that knowing pairs (x, E_k(x)) doesn't allow you to guess (x', E_k'(x')) for any (x', k') ≠ (x, k) with probability non-negligibly higher than 2^-n.
  ◦ Sometimes called a "random permutation".

• Usually all we care about is that E_k(x) doesn't reveal information about E_k(x') for x' ≠ x.
  ◦ If an attacker can get useful information about a block cipher by looking at how it handles different (but related) keys, the block cipher is said to be vulnerable to a related-key attack.
Block ciphers

• DO: Use AES-256.
  ◦ AES-256 is vulnerable to a related-key attack, but this will never matter as long as you get other things right.
  ◦ AES-128 is theoretically strong enough, but block ciphers are hard to implement without side channels, and the extra key bits will help if some key bits get exposed.

• DON'T: Use Blowfish.

• DON'T EVEN DREAM ABOUT: Using DES.

• AVOID: Triple-DES.

• DON'T: Use a block cipher "raw"; instead, use it in an established mode of operation.
Block cipher modes of operation

• A block cipher mode of operation tells you how to use a block cipher to protect stream(s) of data.

• In many cases, the plaintext needs to be padded to a multiple of the block size; the block cipher mode of operation will tell you how to do this.
  ◦ Modes of operation usually have funky initialisms: ECB, CBC, CFB, OFB, CTR, IAPM, CCM, EAX, GCM...
  ◦ Please don't ask me how to expand all of these.

• Most modes of operation provide only encryption; some provide authentication as well.
Block cipher modes of operation

• DO: Use CTR mode.

• DON'T: Use modes which provide both encryption and authentication.

• DON'T EVEN DREAM ABOUT: Using ECB mode.

• DO: Use a MAC (i.e., HMAC-SHA256) to authenticate your encrypted data.
  ◦ If you think you don't need this, consult a cryptographer. He'll tell you that you're wrong.

• DO: Verify the authenticity of your encrypted data before you decrypt it.
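The three DOs on this slide compose into one construction: CTR mode for confidentiality, a separate HMAC-SHA256 over nonce and ciphertext for authenticity, and a verify-before-decrypt rule. The Python below is an added example of that composition, not code from the slides or from Tarsnap. Because the standard library ships no AES, `standin_block_encrypt` is a constructed keyed 16-byte function that stands in for the AES-256 block operation so the example runs offline; it is not a substitute for AES, and real code passes the AES block function in its place. The keys, nonce and message layout (nonce || ciphertext || tag) are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

BLOCK = 16       # AES block size in bytes
NONCE_LEN = 8    # nonce || 64-bit counter fills exactly one block
TAG_LEN = 32     # HMAC-SHA256 output length

BlockEncrypt = Callable[[bytes, bytes], bytes]


def standin_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the AES-256 block operation (the standard
    library has no AES). CTR mode only needs a keyed function of one block,
    which this provides; it is NOT a replacement for AES in real code."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ctr_keystream(key: bytes, nonce: bytes, nbytes: int,
                  block_encrypt: BlockEncrypt = standin_block_encrypt) -> bytes:
    """CTR mode keystream: E_k(nonce || counter) for counter = 0, 1, 2, ...

    No padding is needed; the keystream is cut to the data length. The nonce
    must never repeat under one key, or two messages share a keystream."""
    assert len(nonce) == NONCE_LEN
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += block_encrypt(key, nonce + counter.to_bytes(BLOCK - NONCE_LEN, "big"))
        counter += 1
    return bytes(out[:nbytes])


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR in CTR mode."""
    return bytes(a ^ b for a, b in zip(data, ctr_keystream(key, nonce, len(data))))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes,
                     nonce: Optional[bytes] = None) -> bytes:
    """CTR encryption, then HMAC-SHA256 over nonce || ciphertext.

    Encryption and authentication use separate keys; the output layout is
    nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time first; only then touch the ciphertext.

    Raises ValueError on any authentication failure, so no plaintext is ever
    derived from data an attacker may have modified."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return ctr_xor(enc_key, nonce, ciphertext)


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # constructed keys
    blob = encrypt_then_mac(enc_key, mac_key, b"attack at dawn")
    print(verify_then_decrypt(enc_key, mac_key, blob))
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01                         # flip one ciphertext bit
    try:
        verify_then_decrypt(enc_key, mac_key, bytes(tampered))
    except ValueError as e:
        print("rejected:", e)
```

Two details carry the slide's advice: the tag covers the nonce as well as the ciphertext, so an attacker cannot re-pair a valid ciphertext with a different counter stream, and `verify_then_decrypt` never runs the decryption XOR on a message whose tag failed, which is what keeps padding-oracle and related decrypt-then-check problems out of the design.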
Asymmetric authentication

• An asymmetric authentication scheme uses a signing key to transform plaintext into ciphertext and a verification key to transform ciphertext into either the plaintext or "invalid signature".

• The signing key cannot be computed from the verification key, but the verification key can usually be computed from the signing key.
  ◦ The ciphertext usually consists of the plaintext plus a signature.

• An asymmetric authentication scheme is considered to be broken if an attacker with access to the verification key can generate any valid ciphertext, even if he can convince you to sign arbitrary other plaintexts.
Asymmetric authentication

• DO: Use RSASSA-PSS (RSA signing with Probabilistic Signature Scheme padding).

• DO: Use a 2048-bit RSA key, a public exponent of 65537, and SHA256.

• DON'T: Use PKCS v1.5 padding.

• DON'T EVEN DREAM ABOUT: Using RSA without message padding.

• PROBABLY AVOID: DSA.

• PROBABLY AVOID: Elliptic Curve signature schemes.

• DON'T EVEN DREAM ABOUT: Using the same RSA key for both authentication and encryption.
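An added Go example (not code from the deck) of the scheme exactly as the slides define it, with the recommended parameters: RSASSA-PSS, a 2048-bit key with public exponent 65537, SHA-256. The plaintext || signature layout of the "ciphertext" and the function names are my assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// The deck's parameters: SHA-256 as the digest, PSS salt as long as the hash (32 bytes).
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

// NewSigningKey makes a 2048-bit RSA key; Go fixes the public exponent at 65537.
// Use it for signing only: encryption must get a separate key.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign turns plaintext into the deck's "ciphertext": plaintext || PSS signature.
func Sign(priv *rsa.PrivateKey, plaintext []byte) ([]byte, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, plaintext...), sig...), nil
}

// Verify turns "ciphertext" back into plaintext, or fails with "invalid signature".
// The signature is the trailing pub.Size() bytes (256 for a 2048-bit key).
func Verify(pub *rsa.PublicKey, ciphertext []byte) ([]byte, error) {
	n := pub.Size()
	if len(ciphertext) < n {
		return nil, errors.New("invalid signature")
	}
	plaintext, sig := ciphertext[:len(ciphertext)-n], ciphertext[len(ciphertext)-n:]
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts); err != nil {
		return nil, errors.New("invalid signature")
	}
	return plaintext, nil
}

func main() {
	priv, _ := NewSigningKey()
	ct, _ := Sign(priv, []byte("constructed sample message")) // constructed input
	pt, err := Verify(&priv.PublicKey, ct)
	fmt.Printf("%q %v\n", pt, err)
}
```

Because PSS is randomized, signing the same plaintext twice yields two different but equally valid ciphertexts.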
Asymmetric encryption

• Asymmetric encryption is like asymmetric signing, except the opposite way around: Plaintext is converted to ciphertext using a public key, but converting ciphertext to plaintext requires the private key.

• An asymmetric encryption scheme is considered to be broken if an attacker can decrypt a given ciphertext, even if he can convince you to decrypt arbitrary other ciphertexts.

• Most asymmetric encryption schemes have a fairly low limit on the size of the message which can be encrypted.
Asymmetric encryption

• DO: Use RSAES-OAEP (RSA encryption with Optimal Asymmetric Encryption Padding).

• DO: Use a 2048-bit RSA key, a public exponent of 65537, SHA256, and MGF1-SHA256.

• DON'T: Use PKCS v1.5 padding.

• DON'T: Use RSA without message padding.

• DO: Generate a random key and apply symmetric encryption to your message, then apply asymmetric encryption to your symmetric encryption key.

• DO: Be especially careful to avoid timing side channels in RSAES-OAEP.
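An added Go example (not code from the deck) of the hybrid construction these DOs describe: fresh symmetric keys for each message, encrypt-then-MAC of the message, and RSAES-OAEP (SHA-256, MGF1-SHA256, 2048-bit key) applied only to the keys, so the message itself is not bound by OAEP's size limit. The Envelope layout and the choice of AES-256-CTR plus HMAC-SHA256 for the symmetric part are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

type Envelope struct{ WrappedKeys, Ciphertext, Tag []byte } // constructed format; Ciphertext = nonce || CTR output

// Seal draws fresh keys (32 bytes AES-256 || 32 bytes HMAC-SHA256) for this message,
// encrypts and MACs it with them, then RSAES-OAEP-wraps (SHA-256/MGF1-SHA256) only the keys.
func Seal(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	rnd := make([]byte, 64+aes.BlockSize) // AES key || HMAC key || CTR nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	keys, ct := rnd[:64], make([]byte, aes.BlockSize+len(msg))
	copy(ct, rnd[64:]) // the nonce travels in front of the ciphertext
	block, _ := aes.NewCipher(keys[:32])
	cipher.NewCTR(block, ct[:aes.BlockSize]).XORKeyStream(ct[aes.BlockSize:], msg)
	mac := hmac.New(sha256.New, keys[32:]) // encrypt-then-MAC over nonce || ciphertext
	mac.Write(ct)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keys, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, ct, mac.Sum(nil)}, nil
}

// Open unwraps the keys, then checks the tag in constant time BEFORE decrypting (the deck's DO).
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	keys, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKeys, nil)
	if err != nil || len(keys) != 64 || len(env.Ciphertext) < aes.BlockSize {
		return nil, errors.New("invalid envelope")
	}
	mac := hmac.New(sha256.New, keys[32:])
	mac.Write(env.Ciphertext)
	if !hmac.Equal(mac.Sum(nil), env.Tag) {
		return nil, errors.New("authentication failed")
	}
	block, _ := aes.NewCipher(keys[:32])
	pt := make([]byte, len(env.Ciphertext)-aes.BlockSize)
	cipher.NewCTR(block, env.Ciphertext[:aes.BlockSize]).XORKeyStream(pt, env.Ciphertext[aes.BlockSize:])
	return pt, nil
}
```

Go's EncryptOAEP uses the hash you pass for both the OAEP label hash and MGF1, which is exactly the SHA256 plus MGF1-SHA256 pairing the slide asks for.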
Passwords

• Passwords / passphrases are often used directly for Identification, but can also be used for Encryption or Authentication.

• DO: Avoid using passwords whenever possible.

• DO: Use a key derivation function to convert passwords into keys as soon as possible.

• DO: Use PBKDF2 if you want to be buzzword-compliant.

• DO: Use scrypt if you want to be ≈ 2^ times more secure against serious attackers.

• DON'T EVEN DREAM ABOUT: Storing your users' passwords on your server.

  • No, not even if they're encrypted.
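An added Go example (not code from the deck) of the storage pattern this slide calls for: turn the password into a key with a KDF (PBKDF2-HMAC-SHA256 here) and keep only a random salt and the derived key, never the password. The PBKDF2 implementation, the iteration count and the Credential type are my assumptions; scrypt slots into the same pattern as the KDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// PBKDF2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF, written out so this runs
// on the standard library alone; in production use a vetted library (x/crypto/pbkdf2 or scrypt).
func PBKDF2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for i := uint32(1); len(out) < keyLen; i++ { // one 32-byte block per i
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)}) // INT(i)
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i accumulates U_1 xor U_2 xor ...
		for c := 1; c < iterations; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_c = PRF(P, U_{c-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const Iterations = 100000 // work factor; raise it as hardware gets faster

// Credential is what the server stores instead of the password: a random salt
// and the derived key. The password itself is never written anywhere.
type Credential struct{ Salt, Key []byte }

func NewCredential(password []byte) (Credential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Credential{}, err
	}
	return Credential{salt, PBKDF2SHA256(password, salt, Iterations, 32)}, nil
}

// Check re-derives the key from the offered password and compares in constant time.
func (c Credential) Check(password []byte) bool {
	return hmac.Equal(c.Key, PBKDF2SHA256(password, c.Salt, Iterations, 32))
}
```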
SSL

• SSL is a horrible system.

  • SSL is far too complex to be implemented securely.

  • SSL gives attackers far too many options for where to attack.

  • SSL requires that you decide which certificate authorities you want to trust.

    • Do you trust the Chinese government?

• Unfortunately, SSL is often the only option available.

• DO: Distribute an asymmetric signature verification key (or a hash thereof) with the client side of client-server software, and use that to bootstrap your cryptography.

• DO: Use SSL to secure your website, email, and other public standard Internet-facing servers.

• DO: Think very carefully about which certificate authorities you want to trust.
Weird stuff

• DO: Consult a cryptographer if...

  • Your cryptography is going to be on hardware which attackers have physical access to (e.g., smartcards).

  • You need to use the minimum possible amount of power (e.g., on mobile phones).

  • You need to process the maximum possible data rate (e.g., 10 Gbps IPSec tunnels).

  • You need to transmit the minimum possible number of bits (e.g., communicating with a nuclear submarine).

  • You want to ignore any of the advice I've given in this talk.
Questions?